MISP – Malware Information Sharing Platform and Threat Sharing

The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of the information by Network Intrusion Detection ^(http://www.kitploit.com/search/label/Intrusion%20Detection) System (NIDS), LIDS but also log analysis tools, SIEMs.MISP, is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reverser to support their day-to-day operations to share structured informations efficiently.

objects ^(https://www.misp-project.org/objects.html) can be expressed and linked together to express threat intelligence, incidents or connected elements.

Built-in sharing functionality to ease data sharing using different model of distributions. MISP can synchronize automatically events and attributes among different MISP. Advanced filtering functionalities can be used to meet each organization sharing policy including a flexible sharing group capacity and an attribute level distribution mechanisms.

An intuitive user-interface for end-users to create, update and collaborate on events and attributes/indicators. A graphical interface to navigate seamlessly between events and their correlations. An event graph functionality to create and view relationships between objects and attributes. Advanced filtering functionalities and warning list ^(https://github.com/MISP/misp-warninglists) to help the analysts to contribute events and attributes and limit the risk of false-positives.

storing data in a structured format (allowing automated use of the database for various purposes) with an extensive support of cyber security indicators along fraud indicators as in the financial sector.

A gentle system to collaborate on events and attributes allowing MISP users to propose changes or updates to attributes/indicators.

data-sharing: automatically exchange and synchronization with other parties and trust-groups using MISP.

delegating of sharing: allows a simple pseudo-anonymous mechanism to delegate publication of event/indicators to another organization.

Flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP ^(https://github.com/MISP/PyMISP) which is a flexible Python Library to fetch, add or update events attributes, handle malware samples or search for attributes. An exhaustive restSearch API to easily search for indicators in MISP and exports those in all the format supported by MISP.

Adjustable taxonomy to classify and tag events following your own classification schemes or existing classification ^(https://github.com/MISP/misp-taxonomies). The taxonomy can be local to your MISP but also shareable among MISP instances.

Intelligence vocabularies called MISP galaxy and bundled with existing threat actors, malware, RAT, ransomware or MITRE ATT&CK ^(https://www.misp-project.org/galaxy.html) which can be easily linked with events and attributes in MISP.

Expansion modules in Python to expand MISP with your own services or activate already available misp-modules ^(https://github.com/MISP/misp-modules).

Sighting support to get observations from organizations concerning shared indicators and attributes. Sighting can be contributed ^(https://www.circl.lu/doc/misp/automation/index.html#sightings-api) via MISP user-interface, API as MISP document or STIX sighting documents.

STIX support: import and export data in the STIX version 1 and version 2 format.

Real-time publish-subscribe channel within MISP to automatically get all changes (e.g. new events, indicators, sightings or tagging) in ZMQ (e.g. misp-dashboard ^(https://github.com/MISP/misp-dashboard)) or ElasticSearch logging.

Exchanging info results in faster detection of targeted attacks and improves the detection ratio while reducing the false positives. We also avoid reversing similar malware as we know very fast that others team or organizations who already analyzed a specific malware.

A sample event encoded in MISP:

Website / SupportCheckout the website ^(https://www.misp-project.org/) for more information about MISP software, standards, tools and communities.Information, news and updates are also regularly posted on the MISP project twitter account or the news page ^(https://www.misp-project.org/news/).

DocumentationMISP user-guide (MISP-book) ^(https://github.com/MISP/misp-book) is available online ^(https://www.circl.lu/doc/misp/) or as PDF ^(https://www.circl.lu/doc/misp/book.pdf) or as EPUB ^(https://www.circl.lu/doc/misp/book.epub) or as MOBI/Kindle ^(https://www.circl.lu/doc/misp/book.mobi).For installation guide see INSTALL ^(https://github.com/MISP/MISP/tree/2.4/INSTALL) or the download section ^(https://www.misp-project.org/download/).

Download MISP ^(https://github.com/MISP/MISP)

Author: Marshmallow

Marshmallow Android is BT Ireland’s Head of Sales for Republic of Ireland domestic multi-site companies, indigenous MNCs and public sector accounts. He is responsible for the direction and control of all sales activity in the region. He has over 10 years management experience from high growth start-ups to more established businesses. He’s led teams in Ireland, India and China across various industries (ICT, On-Line Recruitment, Corporate Training and International Education). View all posts by Marshmallow